Skip to main content

Track Authentication Attempts and Prevent Brute-force Attacks

Project description

License: AGPL-3

Tracks Authentication Attempts and Prevents Brute-force Attacks

This module registers each request done by users trying to authenticate into Odoo. If the authentication fails, a counter is increased for the given remote IP. After a defined number of attempts, Odoo will ban the remote IP and ignore new requests. This module applies security through obscurity (, When a user is banned, the request is now considered as an attack. So, the UI will not indicate to the user that his IP is banned and the regular message ‘Wrong login/password’ is displayed.

This module realizes a call to a web API ( to try to have extra information about remote IP.


You can use these configuration parameters that control this addon behavior:

  • auth_brute_force.whitelist_remotes is a comma-separated list of whitelisted IPs. Failures from these remotes are ignored.
  • auth_brute_force.max_by_ip defaults to 50, and indicates the maximum successive failures allowed for an IP. After hitting the limit, the IP gets banned.
  • auth_brute_force.max_by_ip_user defaults to 10, and indicates the maximum successive failures allowed for any IP and user combination. After hitting the limit, that user and IP combination is banned.


Admin user have the possibility to unblock a banned IP.


This module generates some WARNING logs, in the following cases:

  • When the IP limit is reached: Authentication failed from remote ‘x.x.x.x’. The remote has been banned. Login tried: xxxx.
  • When the IP+user combination limit is reached: Authentication failed from remote ‘x.x.x.x’. The remote and login combination has been banned. Login tried: xxxx.


List of Attempts

/auth_brute_force/static/description/screenshot_attempts_list.png Try me on Runbot

For further information, please visit:

Known issues / Roadmap

  • Remove 🐒 patch for in v12.
  • Depending of server and / or user network configuration, the idenfication of the user can be wrong, and mainly in the following cases:
    • If the Odoo server is behind an Apache / NGinx proxy and it is not properly configured, all requests will use the same IP address. Blocking such IP could render Odoo unusable for all users! Make sure your logs output the correct IP for werkzeug traffic before installing this addon.
  • The IP metadata retrieval should use a better system. See details here.

Bug Tracker

Bugs are tracked on GitHub Issues. In case of trouble, please check there if your issue has already been reported. If you spotted it first, help us smash it by providing detailed and welcomed feedback.




Odoo Community Association

This module is maintained by the OCA.

OCA, or the Odoo Community Association, is a nonprofit organization whose mission is to support the collaborative development of Odoo features and promote its widespread use.

To contribute to this module, please visit

Project details

Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Built Distribution

Supported by

AWS AWS Cloud computing Datadog Datadog Monitoring Facebook / Instagram Facebook / Instagram PSF Sponsor Fastly Fastly CDN Google Google Object Storage and Download Analytics Huawei Huawei PSF Sponsor Microsoft Microsoft PSF Sponsor NVIDIA NVIDIA PSF Sponsor Pingdom Pingdom Monitoring Salesforce Salesforce PSF Sponsor Sentry Sentry Error logging StatusPage StatusPage Status page